Marko Popović about tension between AI and data protection

Marko Popović, associate at BDK Advokati, spoke on 30 November at the Winter Vivaldi CFO & Legal Forum organized by Mokra Gora School of Management at Mećavnik, in western Serbia. The forum attracted more than 60 participants, mostly CEOs and CFOs of a host of Serbian companies and start-ups alongside software developers, lawyers, accountants, and other professionals. The main topic of the forum was Conducting Business without People – Financial and Legal Consequences.

Together with four other lawyers from Serbia’s leading law firms, Marko participated in the panel on the EU General Data Protection Regulation (GDPR), artificial intelligence (AI), blockchain, advertising, and profiling.

Marko stressed the tension which exists between the GDPR requirements for data minimisation and transparent processing, on the one hand, and the volume of data which is necessary for the development of AI, on the other.

As an AI system can become “intelligent” and improve in that regard only if it has enough relevant data to learn from, AI development companies need ever-increasing amounts of data to feed into their AI systems. The data minimisation principle, however, requires that personal data processed by the controller must be adequate, relevant and limited to what is necessary for achieving the purpose of the processing. Marko stressed that developers of an AI system may find it difficult to define the purpose of the processing, as in some situations it is not (entirely) possible to predict what the algorithm will learn. Moreover, the purpose may also change as the AI system learns and further develops. This is at odds with the data minimisation principle, as it is difficult to define which data are necessary to achieve the purposes.

Marko also emphasized that it can be challenging to satisfy GDPR’s transparency principle when developing and using AI systems. Specifically, it is rather difficult for companies to provide to data subjects, in clear and plain language as the GDPR requires, “meaningful information about the logic involved” in an AI system.

In a dynamic debate on the use of blockchain that ensued between the panelists and the audience, Marko noted that a blockchain system, as a form of distributed ledger technology, runs counter to the GDPR requirements for data minimisation, storage limitation and a clearly determined data controller. He also tackled the problem of rectification and erasure of personal data stored on the blockchain, as the blockchain architecture is built in a way that makes it almost or entirely impossible to correct or delete the data.

Marko concluded, backing up his argument with CNIL’s guidance on blockchain, that a possible solution might be to store personal data outside of the blockchain (for instance, on the data controller’s server) and to store on the blockchain only a proof of existence of the data.